5 WordPress Security Essentials
Blogging can be a lot of fun, and there is nothing more thrilling than having people appreciate your hard work by leaving comments and spreading the word about how great your blog is. Unfortunately, along with all of your great fans there are just as many bad guys out there who would love to deface and hack your beautiful creation. Here are five basic security tips that you can easily implement on your WordPress blog to help keep the bad guys out.
Use a Strong Password - Choosing a good, strong password is one of the first and easiest defenses against being hacked. Your partner's first name is probably not the most secure password. While there are many differing opinions on what makes a password secure, here are some things to keep in mind. Passwords that are longer than 8 characters and contain a combination of upper- and lowercase letters, numbers, and symbols are stronger. I often don't use special characters but will make passwords at least 10 characters long. If you need to create a strong password and don't already use a password manager, check out this great tool from LastPass to generate a strong password.
Protect the WordPress Admin Folder - Stopping the bad guys from getting into the WordPress admin folder in the first place is an excellent place to start to secure your blog. There are many different ways to increase the security of your WordPress admin folder including:
- Using the WordPress plugin htaccess password protection for wp-admin. Nothing like adding an extra layer of protection by requiring HTTP Basic Authentication for the wp-admin folder.
- Using the Login LockDown WordPress security plugin to ban IP addresses from the wp-admin login after 3 failed login attempts within 5 minutes.
- Denying access to the WordPress admin folder by IP address. You can read more about this method in Reuben Yau's post Protecting the Wordpress wp-admin folder.
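The Login LockDown rule above (ban after 3 failed attempts within 5 minutes) can also be checked after the fact against the web server's access log. This is an added example, not the plugin's code; it assumes Apache combined-format logs and that a failed WordPress login re-renders the form (HTTP 200) while a successful one redirects (302). The log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find the pattern Login LockDown blocks (N failed wp-login.php
# POSTs from one IP within W seconds) in an Apache combined-format access log.
# Assumption: a failed login returns 200 (form shown again), a success returns 302.

# Constructed sample log, not real traffic; 203.0.113.5 fails 3 times in under 4 minutes.
SAMPLE_LOG='203.0.113.5 - - [09/Jan/2008:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.5 - - [09/Jan/2008:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
198.51.100.7 - - [09/Jan/2008:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [09/Jan/2008:10:03:45 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
198.51.100.7 - - [09/Jan/2008:10:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 5678
203.0.113.5 - - [09/Jan/2008:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1234'

# find_bruteforce <max failures> <window seconds>   (reads the log on stdin)
# Prints each offending IP once, at the moment it crosses the threshold.
find_bruteforce() {
  awk -v max="$1" -v win="$2" '
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" {
      ip = $1
      split(substr($4, 14, 8), t, ":")        # "[09/Jan/2008:10:00:01" -> hh, mm, ss
      secs = t[1] * 3600 + t[2] * 60 + t[3]   # seconds since midnight (single-day log assumed)
      n[ip]++; seen[ip, n[ip]] = secs
      hits = 0
      for (i = 1; i <= n[ip]; i++)            # count this IP failures inside the sliding window
        if (secs - seen[ip, i] <= win) hits++
      if (hits >= max && !(ip in flagged)) { flagged[ip] = 1; print ip }
    }'
}

# Convenience wrapper so the constructed sample can be scanned without a real log file.
scan_sample() { printf '%s\n' "$SAMPLE_LOG" | find_bruteforce 3 300; }
```

Run it against a real log with `find_bruteforce 3 300 < /var/log/apache2/access.log` (path is an assumption); the IPs it prints are the ones the plugin would have banned.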
Deny Access to Other Folders - Many web hosts by default let visitors browse a folder that has no index.html file. This is a security concern for folders like your WordPress plugins folder, since it reveals exactly what you have installed. You can stop people snooping in these folders by adding blank index.html files or by setting up an .htaccess file that disables directory listings for folders without an index. You can read more on All Tips and Tricks.
Remove the WordPress Version - Many hackers are looking for vulnerable WordPress installs. You can slow them down by removing the WordPress version string that most themes output by default. If you don't want to dig around in the code of your theme, you can install Blog Security's bs-wp-noversion plugin (Removes WordPress Version) to remove it for you.
Update WordPress - Perhaps the easiest security essential for keeping your WordPress blog secure is to keep an eye on your WordPress dashboard for announcements of new WordPress releases and to update your install as soon as you can. The same goes for the plugins you run. WordPress 2.3 and up notifies you when updated versions of your plugins are available. Take the time to update your plugins regularly to keep security concerns to a minimum.
A very valuable page to read is the Hardening WordPress page over at WordPress.org. By doing some very simple things you can make it more difficult for the bad guys to ruin your day by defacing or hacking your blog. A few minutes spent on these items can save you hours if your blog gets hacked. If the bad guys do happen to get in, restoring your blog is much easier if you have a recent backup of your website.
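The wp-admin protections from the list above (Basic auth plus an IP allow list), the directory-listing rule from this tip, and the wp-config.php protection Lee mentions in the comments can all be expressed as .htaccess rules. The helper below is an added example, not the post's or any plugin's code; it uses Apache 2.2 syntax (current when the post was written) and assumes mod_auth_basic and mod_authz_host are enabled and that the .htpasswd file is created separately with `htpasswd -c`.

```shell
#!/bin/sh
# Added example: write the .htaccess rules described in the tips above.
# Apache 2.2 syntax (Order/Deny/Allow). The .htpasswd file is created separately,
# e.g.  htpasswd -c /path/outside/webroot/.htpasswd admin   (path is an assumption).

# write_admin_htaccess <wp-admin directory> <.htpasswd path> <allowed IP>
# Second layer in front of the WordPress login: HTTP Basic auth AND an IP allow list.
write_admin_htaccess() {
  cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $2
Require valid-user
# Both the password and the address check must pass (Satisfy All is the default)
Order Deny,Allow
Deny from all
Allow from $3
EOF
}

# write_root_htaccess <site root directory>
# Disables directory listings and keeps wp-config.php (database credentials) unreadable over HTTP.
write_root_htaccess() {
  cat > "$1/.htaccess" <<'EOF'
Options -Indexes
<Files wp-config.php>
  Order Allow,Deny
  Deny from all
</Files>
EOF
}

# has_rule <file> <text>: returns 0 when the rule is present; use it to verify what was written.
has_rule() { grep -q -- "$2" "$1"; }
```

Restricting wp-admin by IP also blocks wp-admin/admin-ajax.php, which some themes and plugins call from the public site, so allow that file separately if your site needs it.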
Comments
Simonne
Many thanks for mentioning my post. Secondly, do you have any idea, once a blog has been hacked and many of its posts are now redirected to another URL, what can be done to solve this problem? I'm in this situation and I just deleted the blog and used .htaccess to make a 301 redirect to a provisory page. But I'm losing the SERPs ranking I've been working hard on. Thanks.
Lee Robertson
Simonne, Thanks for stopping by! Sorry to hear about your blog. My first thought would be to wipe the blog and database and reinstall and restore the posts etc from a backup. Before you do that though you really need to find out how they got in. You also should change user names and passwords for the account and database. How are they redirecting to another URL? Did they inject something into the posts?
Simonne
Lee, thanks for the answer. I don't know how they got in, and it happened just before I left for the Christmas vacation, so I had no time to investigate more. I just wiped the site off the server. I'll try to do as you say. I suppose it has something to do with the database, because the few static pages I had were all OK. Probably there was some envious competitor (that was my business website, which started to rank well for some specific terms).
Lee Robertson
Best of luck getting it all sorted out. I have had to clean up sites after being hacked and it can be a lot of work.
AskApache
Lee, such simple and easy wordpress security tips. I'll be upgrading the http basic authentication plugin soon. Thanks for the buzz bro!
Lee Robertson
Thanks for stopping by! I have used your plugin on other WordPress sites and it works well. Thanks for such a great tool to help keep blogs secure. So often it is the simple things that get forgotten about and missed. I have seen WordPress blogs using older versions after a security release where the owner just does not want to upgrade. Sure enough their blog is compromised and then they have a lot of other problems to deal with.
Erica DeWolf
These are some easy and simple tips that should really help keep individuals' blogs safe. I'll be sure to implement a few, and I'm sure others will, too! Thanks!
Lee Robertson
Thanks for stopping by! They are simple tips that everyone can use. Just a few can help keep a blog more secure.
Obscurity to Popularity - Entrecard - Epiblogger
[...] 5 WordPress Security Essentials post from January 9 was submitted to StumbleUpon and has been sending Epiblogger a steady stream of [...]
Jonas
Thanks for the tips! There are good reasons for hardening your Wordpress install. Wordpress stores passwords in the database as a hash made from the password. A common Unix practice is to add a random seed to the hash, but Wordpress does not do this. Should the password hash be revealed, the password could even be recovered by googling the hash!
Lee Robertson
Jonas, Thanks for stopping by. You are correct WordPress I believe just uses an MD5 hash of the password and stores it in the database. If someone can gain access to the database they could decode the password. To help prevent someone from gaining access to the database you can use htaccess to protect the wp-config file which contains the username and password for the database connection or move it off the web root.
» 6 modi per mettere in sicurezza i blog Wordpress Geekissimo
[...] Fonti: Daily Blog Tips | Epiblogger [...]
WordPress 2.3.3 Urgent Security Release - Epiblogger
[...] before you update your WordPress site to make a backup and of course don’t forget to use some basic security to keep your blog [...]
Guarding Your Wordpress Blog | BPWrap
[...] WordPress - WordPress Codex Three tips to protect your WordPress installation - Matt Cutts 5 WordPress Security Essentials - Lee Robertson How to Protect Your WordPress Site - Anita Campbell Protecting Your WordPress Blog [...]
Qualche consiglio sulla sicurezza del vostro blog (wordpress) | Sitissimo.com
[...] Daily Blog Tips | Epiblogger Trucco & Consiglio del giorno: Disabilitare la richiesta di riavvio di WindowsIl consiglio di [...]
links for 2008-05-07 | Gosdot
[...] 5 WordPress Security Essentials - Epiblogger (tags: security) [...]
Sicherheit / WordPress absichern
[...] http://www.epiblogger.net/5-wordpress-security-essentials/ [...]
Blog Spring Cleaning - Epiblogger
[...] Security - Review your security. 5 WordPress Security Essentials. [...]
johnhoma
How to subscribe to RSS feeds?
LGR
Do not have a lot of time right now. I personally use Google Reader, but there are others. Perhaps take a look at some of these other posts. Perhaps they can help you. RSS - What, Where, Why and How (http://lgr.ca/blog/2008/03/rss-what-where-why-and-how.html) and Move to Google Reader (http://lgr.ca/blog/2007/09/move-to-google-reader.html)
Catalin
Very good tips. Another security trick is to change WP-admin folder name. The wordpress version must always be removed because old versions of wp have a lot of security problems.
Ed Norton
I personally think the last piece of advice - to keep your CMS updated at all times to the latest version - is the most important one. I used to use Joomla in my previous projects, and every time I didn't catch up with the update after a security release my site got hacked, no matter how strong the passwords I used were. Always update Wordpress after a security release.
Kevin Airgid
Ask Apache is great! Love .htaccess nice way to lock stuff down!
LGR
Due to spammers comments now closed.